CVE-2016-8622

The URL percent-encoding decode function in libcurl before 7.51.0 is called`curl_easy_unescape`. Internally, even if this function would be made toallocate a unscape destination buffer larger than 2GB, it would return thatnew length in a signed 32 bit integer variable, thus the length would geteither just truncated or both truncated and turned negative. That couldthen lead to libcurl writing outside of its heap based buffer.